Question After upgrade PHP-FPM has high cpu usage.

[randypetersen]

Server operating system version

Ubuntu 22.04.3 LTS - Amazon Web Services - LightSail

Plesk version and microupdate number

Plesk Obsidian Version 18.0.54 Update #3, last updated on Aug 15, 2023 10:19 PM

We upgraded from:
Your OS version Ubuntu 16.04.7 LTS
Plesk version Plesk Obsidian Version 18.0.34 Update #2, last updated on Mar 26, 2021 06:27 AM
We were on a 2 vCPU AWS LightSail plan and now on a 4 vCPU plan.
Our CPU usage was always very low and now despite the CPU upgrade we are much higher CPU usage. We are using PHP 8.0.30 and running PHP as FPM application served by nginx.

I followed this thread and enabled fail2ban / IP Address Banning (currently 18 banned IPs) and Web Application Firewall. Little to no improvement.

We have only 20 websites - most are testing/junk... If I open up the same (blank wordpress website - no plugins - standard theme) site on multiple machines I can get over 10% usage on that user/domain. Is that correct? We got 10 or 20 users (according to analytics) on the site and that's taking over 50% cpu? I know our sites aren't that efficient with WordPress/woocommerce/elementor and plugins... but basic WordPress sites are the same. So I can't really even blame a particular site/plugin. At this second our CPU is 3.8% so it's not and kind of sustained DDOS as far as I can tell... It's just that when users access the site, it hits our server hard even on a simple WordPress site.

I am sure I set up / configured the server wrong since it wasn't an issue since the upgrade and we now have more vCPUs... we were on PHP 7.3.27 before if that matters. I remember on a different server I accidently left some logging on and everything was taking more time than it should until I took it off, but not sure what's wrong here... I only have a basic understanding of this, but would appreciate a direction to look/research to improve our site speed and CPU usage.

Thanks for any input!

 

[Peter Debik]

Please check /var/log/error_log and /var/log/access_ssl_log for suspicious activities, e.g. lots of requests coming from the same IP address (unless it is your own). When a website creates many PHP-FPM instances and never terminates them, this is normally a sign for bad bots hitting the website or other attack types, mostly against Wordpress websites. For example are there frequent access attempts on xmlrpc.php?

Another reason for strong PHP-FPM usage are inconsistencies in the URL spelling (non-www/www, non-SSL/SSL) or missing files. These can create endless loops, when such resources are included in a page.

 

[randypetersen]

Thanks very much for the fast response Peter, it's appreciated!

Quick question: so according to analytics we got about 10 users in the last 30 minutes . According the PLESK process list, we have 7 PHP-FPM processes around 5.8% CPU each. Is that normal? does each visitor get a PHP-FPM process?

When we don't have any visitors, we don't have any PHP-FPM processes, so it's not like the don't get terminated. I can go to one of my simple blank websites on a few different machines and it will create a couple PHP-FPM processes. After a while, they terminate.

Are you talking about the logs for each domain under logs folder or server side logs?

error_log had was populated with a log of modsecutity issues:

[Wed Aug 16 19:05:25.299332 2023] [:error] [pid 177808:tid 140218527049280] [client 103.30.212.11:0] [client 103.30.212.11] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_COOKIES_NAMES. [file "/etc/apache2/modsecurity.d/rules/comodo_free/26_Apps_WordPress.conf"] [line "155"] [id "225170"] [rev "3"] [msg "COMODO WAF: Sensitive Information Disclosure Vulnerability in WordPress 4.7 (CVE-2017-5487)||hawkadelic.com|F|2"] [severity "CRITICAL"] [tag "CWAF"] [tag "WordPress"] [hostname "hawkadelic.com"] [uri "/wp-json/wp/v2/users/"] [unique_id ""], referer: http://hawkadelic.com///wp-json/wp/v2/users/

Is that just normal prevention stuff?

access_ssl_log looked pretty normal - most IPs I looked at were listed around 150 times - just normal browsing?
108.160.216.xxx - - [16/Aug/2023:22:02:05 +0000] "GET /wp-content/plugins/revslider/public/assets/js/rs6.min.js?ver=6.6.14 HTTP/1.0" 200 822 "Beat State – Hawkadelic..." "Mozilla/5.0 (Linux; Android 13; SM-S906U Build/TP1A.220624.014; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/115.0.5790.166 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/427.0.0.31.63;]"

don't see any reference to xmlrpc.php in those logs

the reason I don't think it's bots, is because when my analytics shows zero, the CPU is also very low... and PHP-FPM processes are gone - but I don't know!

Now your mentioning of URL spelling has me intrigued. It seems like any traffic to the server causes a large impact on the CPU usage. After I setup the new server I didn't do the DNS routing the same. I am using a reusable delegation set for Route53. I used to put in a domain into PLESK sync it with Route53 then take the name servers from Route53 and I put it into my domain registrar (godaddy for most). Now I put in my reusable delegation set into my registrar and it seemed to work ok. Could that be slowing things down / increasing CPU usage server wide?

I want to dig into each site, but they files haven't changed since it was performing ok, and even blank sites pop up taking a lot of CPU. I could be wrong though... I am sure PLESK is operating fine, I just got something misconfigured... or something...

Thanks again for any help!

 

[randypetersen]

Followed the instructions here:

https://support.plesk.com/hc/en-us/articles/12377282594199

and got a few IPs with a high number, but nothing too crazy if I am looking at it right.

 

[randypetersen]

Couple quick questions for today, if anyone has any ideas for me.

Looking at the process list today, I see several (5 or 6 out of my 19 sites) php-fpm processes that are for websites that are just blank wordpress sites. Each process around 3%, I have a hard time understanding why a blank website that most likely has no visitors would be using using so much CPU. Anyone have any thoughts? They'll go away in time, but not sure why they'd impact the CPU so much.

Anyone have any recommendations on hiring a consultant to take a quick look at our server? I normally didn't have any issues with our normal day-to-day stuff, but this issue is beyond my capabilities. I still think it's a server issue and not just inefficient websites, although that is part of it I am sure. I got a feeling a pro would look at it be able to figure out what's going on in a short time. I am sure it's something I did wrong as I set up the server, first plesk instance was a lightsail built instance and cpu usage was low. However we needed to update and that was was ubuntu16.

Thanks,
Randy

 

[Daiv]

Couple quick questions for today, if anyone has any ideas for me.

Looking at the process list today, I see several (5 or 6 out of my 19 sites) php-fpm processes that are for websites that are just blank wordpress sites. Each process around 3%, I have a hard time understanding why a blank website that most likely has no visitors would be using using so much CPU. Anyone have any thoughts? They'll go away in time, but not sure why they'd impact the CPU so much.

Anyone have any recommendations on hiring a consultant to take a quick look at our server? I normally didn't have any issues with our normal day-to-day stuff, but this issue is beyond my capabilities. I still think it's a server issue and not just inefficient websites, although that is part of it I am sure. I got a feeling a pro would look at it be able to figure out what's going on in a short time. I am sure it's something I did wrong as I set up the server, first plesk instance was a lightsail built instance and cpu usage was low. However we needed to update and that was was ubuntu16.

Thanks,
Randy

Hey Randy, I see this was a few months ago. Did you ever find a solution to this? I'm having a similar issue.

 

[Peter Debik]

Processes can be started and used by auto-maintenance of Wordpress.